Improvements to Compliance in Exchange 2016 (Part 1)

Introduction

Email has become a reliable and universal communication medium for workers in organizations of all sizes all over the world. As previously discussed in several other MSExchange.org articles, mailboxes often contain valuable data, so it is crucial for organizations to have policies in place that dictate the fair use of their messaging systems, provide user guidelines for how to act on the policies and, where required, provide details about the types of communication that may not be allowed.

Email lifecycle management is also important, so that organizations can retain emails for the length of time dictated by business, legal, and regulatory requirements, preserve emails for litigation and investigation purposes, and be prepared to search and provide the required information in eDiscovery requests.

As with Exchange 2013 and, in part, Exchange 2010, Exchange 2016 includes several messaging policy and compliance features. The following is a high-level overview of these:

In-Place Archiving helps administrators regain control of the organization’s messaging data by eliminating the need for personal store (.PST) files and allowing users to store messages in an archive mailbox accessible in Outlook and Outlook on the Web (OWA);

In-Place Hold and Litigation Hold: organizations might sometimes be required to preserve electronically stored information, including email that is relevant to an investigation case. Litigation Hold allows administrators to place all items in a mailbox on hold while with In-Place Hold administrators can search and preserve emails matching query parameters. In both cases, emails (and other items such as calendar items) are protected from permanent deletion, modification and tampering and can be preserved indefinitely or for a specified period;

In-Place eDiscovery allows administrators to search mailbox data across the Exchange organization, preview search results, and copy search results to a Discovery mailbox or export them to a PST file;

Administrator audit logging enables organizations to keep a log of changes made by administrators to the Exchange environment and organization configuration. These might be used as part of change control process or to track changes and access to configuration and recipients for compliance purposes;

Mailbox audit logging: mailboxes can contain personal, sensitive and/or high business impact information, so it is important for some organizations to track who logs on to the mailboxes (usually by users other than the mailbox owner) and what actions are taken. Using mailbox audit logging, administrators can log mailbox access by administrators, delegates, and even mailbox owners;

Data loss prevention (DLP): Exchange 2016 includes 80 sensitive information types that are ready for administrators to use in DLP policies;

Transport rules can be used to look for specific conditions in emails as they pass through the organization and take action on them.

Improvements

All of the topics mentioned above have already been covered extensively at MSExchange.org for either Exchange 2010 and/or 2013. In this article, we will cover the following improvements made in Exchange 2016:

In-Place Hold and eDiscovery for Public Folders: a deficiency with In-Place Hold in Exchange 2010 and 2013 is that only mailboxes can be put on hold. Exchange 2016 has integrated Public Folders (PF) into the In-Place Hold and eDiscovery workflow. This means that administrators can use In-Place eDiscovery to search PFs in the organization and place them on hold. Similar to placing a mailbox on hold, we can use query-based or time-based holds on PFs. At the time of writing this article, we can only search and place a hold on all PFs, but I am sure that in a later release we will be able to choose specific PFs to search and place on hold;

Compliance Search is a new eDiscovery search tool in Exchange 2016 with new and improved scaling and performance capabilities. We can use this tool to search very large numbers of mailboxes in a single search as there is no limit on the number of mailboxes that can be searched, so it is possible to search all mailboxes in the organization in one search independently of how many mailboxes there are. There is also no limit on the number of searches that can run concurrently. The limits in Exchange 2016 in regards to In-Place eDiscovery are the same as in Exchange 2013: we can search up to 10,000 mailboxes in a single search and we can run a maximum of 2 In-Place eDiscovery searches at the same time.

In-Place Hold and eDiscovery for Public Folders

As I have mentioned, we can now use In-Place eDiscovery to search for content in PFs and place content in PF on In-Place Hold. Like content in mailboxes, content in PF might be relevant if an organization has to respond to legal requests such as lawsuits or regulatory investigations.

Before we begin, the account we use needs to be a member of the Compliance Management management role group before we can use In-Place Hold and eDiscovery features:

Figure 1

Before we start, it is important to note the following:

We can include mailboxes and PF in the same eDiscovery search. However, when using an In-Place Hold to place content in PFs on hold, if we select the option to search all mailboxes in the organization, we cannot use the search to place a hold on any of the content sources of the search;

We can only search or place holds on all PFs in the organization. We cannot select specific PFs to search;

Moving PFs to a different PF mailbox does not affect searching or placing holds on PFs that have been moved;

PF mailboxes are counted against the source mailbox limit for the eDiscovery search;

We cannot delete PFs that are on In-Place Hold. We have to remove the hold before we can delete any PF;

Mail-enabling a PF does not impact using In-Place eDiscovery to search or place holds on PFs.

Public Folder In-Place Hold and eDiscovery using the EAC

The process of using the Exchange Admin Center to place PFs on Hold is identical to when placing mailboxes on Hold, with just a couple of differences:

In the EAC, go to compliance management and then select in-place eDiscovery & hold:

Figure 2

Click on the new + icon;

On the Name and description page, type a name for the search, add an optional description, and then click Next:

Figure 3

On the Mailboxes and Public folders page, under Mailboxes select Don’t search any mailboxes, otherwise we will not be able to enable an In-Place Hold for the search. Under Public folders, click Search all public folders:

Figure 4

On the Search query page, select Filter based on criteria to specify search criteria, including keywords, start and end dates, sender and recipient addresses, and message types. If we select Include all content, all content in the selected sources will be included in the search results:

Figure 5

On the In-Place Hold settings page, select the Place content matching the search query in selected mailboxes on hold option to place an In-Place Hold on all PFs in the organization. For the hold duration, select either:

Hold indefinitely to place items returned by the search on an indefinite hold. Items on hold will be preserved until we remove PFs from the search or remove the search;

Specify number of days to hold items relative to their received date to hold items in PFs for a specific period. For example, we can use this option if the organization requires that PF content be retained for at least seven years.

Figure 6

Click Finish to save the search and return an estimate of the total size and number of items that will be returned by the search or placed on hold based on the criteria we specified. Estimates are displayed in the details pane on the In-Place eDiscovery & Hold page. Select a search and then click Refresh to update the information about the search that’s displayed in the details pane:

Figure 7

Similar to a “normal” eDiscovery, we can also get a preview of the results, although it seems no preview is actually available. While for a normal eDiscovery we can see results per mailbox, with PF we see per PF mailbox (in this case PF1 is the name of one PF mailbox):

Public Folder In-Place Hold and eDiscovery using the Shell

It is easy to achieve the same results using the Exchange Management Shell. As with Exchange 2013, we need to use the New-MailboxSearch cmdlet, but now with new parameters. This cmdlet creates a mailbox search and either gets an estimate of search results, places search results on In-Place Hold or copies them to a Discovery mailbox. We can also place all contents on hold by not specifying a search query, which accomplishes results similar to Litigation Hold in Exchange 2010. Let us look at a few examples.

Example 1

This example is basically the same as what we did using the EAC: we will place every item in Public Folders that contains the words “project x” on hold for an unlimited duration:

Example 2

In this example we only create an estimate search that searches all PFs in the organization for items sent between October 1, 2015 and November 30, 2015 and that contain the phrases “project x” and “funds”. The search does not include any mailboxes:

Example 3

This example searches all mailboxes and PFs for any content that contains the words “project x” and that was sent after October 1, 2015. The difference in this example is that we are also searching all mailboxes in the organization.
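
The three searches described above can be written with New-MailboxSearch as follows. This is an added example, not the commands from the original article: the search names are constructed, and making the third search estimate-only is an assumption, chosen because a search that covers all mailboxes cannot be used to place a hold.

```powershell
# Added example. Search names are constructed; run in the Exchange Management Shell.

# Example 1: indefinite In-Place Hold on every PF item containing "project x".
# -AllSourceMailboxes $false is required here: a search that selects all
# mailboxes cannot place a hold on any of its content sources.
# Omitting -ItemHoldPeriod leaves the hold duration unlimited.
New-MailboxSearch -Name 'PF-Hold-ProjectX' `
    -AllPublicFolderSources $true `
    -AllSourceMailboxes $false `
    -SearchQuery '"project x"' `
    -InPlaceHoldEnabled $true

# Example 2: estimate only, all PFs, no mailboxes, both phrases,
# items sent between October 1, 2015 and November 30, 2015.
New-MailboxSearch -Name 'PF-Estimate-ProjectX-Funds' `
    -AllPublicFolderSources $true `
    -AllSourceMailboxes $false `
    -SearchQuery '"project x" AND "funds"' `
    -StartDate ([datetime]'2015-10-01') `
    -EndDate ([datetime]'2015-11-30') `
    -EstimateOnly

# Example 3: all mailboxes and all PFs, items sent after October 1, 2015.
# Estimate-only is an assumption of this example (no hold is possible
# with -AllSourceMailboxes $true).
New-MailboxSearch -Name 'All-Estimate-ProjectX' `
    -AllPublicFolderSources $true `
    -AllSourceMailboxes $true `
    -SearchQuery '"project x"' `
    -StartDate ([datetime]'2015-10-01') `
    -EstimateOnly

# Start the two estimate searches so they return item counts and sizes.
'PF-Estimate-ProjectX-Funds', 'All-Estimate-ProjectX' |
    ForEach-Object { Start-MailboxSearch -Identity $_ }

# Review the hold state and the estimates for the searches created above.
Get-MailboxSearch |
    Where-Object { $_.Name -like '*ProjectX*' } |
    Format-List Name, Status, InPlaceHoldEnabled, ItemHoldPeriod, Result*
```

To hold PF content for a fixed period instead of indefinitely, add -ItemHoldPeriod with the number of days to the first command.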

Conclusion

In this article we explored the improvements made to Exchange 2016 in terms of compliance, specifically In-Place Hold and eDiscovery for Public Folders, a long-overdue feature. In the next and final part of this article series, we will look at the new Compliance Search feature.